
Module 2
More on Confinement Techniques
An old example: chroot
Often used for guest accounts on ftp sites
To use (must be root):
    chroot /tmp/guest      root dir / is now /tmp/guest
    su guest               EUID set to guest
Now /tmp/guest is prepended to every file system access made by applications in the jail:
    open("/etc/passwd", "r")  =>  open("/tmp/guest/etc/passwd", "r")
Application cannot access files outside of the jail
Jailkit
Problem: all utility progs (ls, ps, vi) must live inside jail
jailkit project: auto builds files, libs, and dirs needed in jail env
    jk_init: creates jail environment
    jk_check: checks jail env for security problems
        checks for any modified programs,
        checks for world writable directories, etc.
    jk_lsh: restricted shell to be used inside jail
note: simple chroot jail does not limit network access

Installing jailkit:
    $ wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
    $ gunzip jailkit-2.19.tar.gz
    $ tar xvf jailkit-2.19.tar
    $ cd jailkit-2.19
    $ ./configure
    $ make
    $ make install
Escaping from jails
Early escapes: relative paths
    open("../../etc/passwd", "r")
        => open("/tmp/guest/../../etc/passwd", "r")
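The path mapping from the chroot slide and the relative-path escape above, as an added example that is not part of the slides: a small Python model of jail path lookup that contrasts the early broken behaviour (jail root glued on as a string prefix, so ".." can climb out) with the rule a correct chroot enforces (".." at the jail root stays at the jail root). JAIL_ROOT and the requested paths are constructed for illustration, and the code models the lookup rule rather than reproducing kernel code; it assumes the jailed process has already chdir'ed into the jail, so relative paths start at the jail root.

```python
# Added example, not from the slides: a model of how a chroot jail maps the
# paths an application opens onto host paths. JAIL_ROOT is a constructed
# sample value; this models the lookup rule, not kernel code. Relative
# paths are assumed to start at the jail root (process has chdir'ed there).

JAIL_ROOT = "/tmp/guest"


def _walk(components, parts):
    """Apply path components to a stack of directory names: '..' pops one
    level but never goes below the bottom of the stack."""
    for comp in components:
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()
            continue
        parts.append(comp)
    return parts


def naive_resolve(jail_root, path):
    """The early, broken model: prefix the jail root as a plain string, then
    resolve '..' over the whole host path, so '..' can climb out of the jail."""
    joined = jail_root.rstrip("/") + "/" + path.lstrip("/")
    return "/" + "/".join(_walk(joined.split("/"), []))


def jailed_resolve(jail_root, path):
    """The rule a correct chroot enforces: the jail root acts as '/', and
    '..' at the jail root stays there, so the result never leaves the jail."""
    parts = _walk(path.split("/"), [])
    root = jail_root.rstrip("/")
    return (root + "/" + "/".join(parts)) if parts else root


def escapes_jail(jail_root, host_path):
    """True if a resolved host path lies outside the jail directory."""
    root = jail_root.rstrip("/")
    return host_path != root and not host_path.startswith(root + "/")


if __name__ == "__main__":
    for requested in ("/etc/passwd", "../../etc/passwd"):
        naive = naive_resolve(JAIL_ROOT, requested)
        jailed = jailed_resolve(JAIL_ROOT, requested)
        print(f"{requested:20} naive -> {naive:24} escapes={escapes_jail(JAIL_ROOT, naive)}")
        print(f"{'':20} jail  -> {jailed:24} escapes={escapes_jail(JAIL_ROOT, jailed)}")
```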

chroot should only be executable by root.
Otherwise a jailed app can do the following (bug in Ultrix 4.0):
    create dummy file /aaa/etc/passwd:
        echo root::0:0::/:/bin/sh > /aaa/etc/passwd
    mkdir /aaa/bin
    cp /bin/sh /aaa/bin
    run chroot /aaa
    run su root to become root
Many ways to escape jail as root:
    Create device that lets you access raw disk
    Send signals to non-chrooted process
    Reboot system
    Bind to privileged ports


FreeBSD jail
Where chroot jail was weak partitioning, FreeBSD jail is strong partitioning
Creates virtual machines
Popularly used in ISPs

FreeBSD jail
Stronger mechanism than simple chroot
To run:
    jail jail-path hostname IP-addr cmd
    calls hardened chroot (no ../../ escape)
    can only bind to sockets with specified IP address and authorized ports
    can only communicate with processes inside jail
    root is limited, e.g. cannot load kernel modules
Virtual OS on the Desktop
VMware, Parallels, KVM, Xen
Different approaches:

Hardware emulation
Emulation is where software is used to simulate hardware for a guest operating system to run in. This has been used in the past but is difficult to do and offers low performance.

Native virtualization (with hardware)
Native virtualization (or full virtualization) is where a type-2 hypervisor is used to partially allow access to the hardware and partially to simulate hardware in order to allow you to load a full operating system. This is used by packages like VMware Server, VMware Workstation, Virtual PC, Virtual Server, and Oracle VirtualBox.

Paravirtualization
Paravirtualization is where the guest operating systems run on the hypervisor, allowing for higher performance and efficiency. For more technical information and videos on this topic, visit VMware's Technology Preview for Transparent Virtualization. Examples of paravirtualization are Microsoft Hyper-V and VMware ESX Server.
Not all programs can run in a jail
Programs that can run in jail:
    audio player
    web server
Programs that cannot:
    web browser
    mail client
Problems with chroot and jail
Coarse policies:
    All-or-nothing access to parts of file system
    Inappropriate for apps like a web browser
        Needs read access to files outside jail
        (e.g. for sending attachments in Gmail)
Does not prevent malicious apps from:
    Accessing network and messing with other machines
    Trying to crash host OS
